Add AQL queries and schedule runs to generate results. If you configured an email server
during configuration, you can share the results with colleagues by email.
-
From the main page of the app, click Add query.
- In the Add new query window, enter a unique Query
name.
- Enter your AQL query. For example,
SELECT * FROM EVENTS.
- If you set up an email server during configuration, enter the email addresses to notify
and select the format for the email attachment when the query completes. For more information, see
Configuring QRadar Event and Flow Exporter.
- If you want to run your queries automatically at specific intervals, pick a schedule for
running the query. You can also choose to end the schedule after a set number of query runs, such as
three occurrences.
- To view a sample run of your added query, click Preview. The
preview checks for syntax errors in your query so that queries with syntactical errors are not added
to the app.
- Save your AQL query with the data you provided.
- To edit the email or schedule details, click the query name link to open the
Query details window. Make your changes and save them.
Important: You cannot edit the query name or the AQL query string because they are
associated with query results (see step 9).
- To edit the query string, click Copy to copy it to the clipboard
and paste it into a text editor. Modify the query string and then create a new query with the
updated AQL query string.
- To delete the query from QRadar® Event and Flow Exporter, select the relevant checkbox
and then click the trash can icon in the menu bar.
Any associated query results and schedules are also deleted for the
query.
The query is added to the Queries table.